CVE-2014-8150

Current Description

CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.

Evaluator Description

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Referenced by CVEs: CVE-2015-3144

Basic Data

Published: January 15, 2015
Last Modified: January 05, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: NVD-CWE-Other
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Integrity Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    CPE Version 2.3; Part: OS; Vendor: Debian; Product: Debian Linux; Version: 7.0.
    Update, Edition, Language, SW Edition, Target SW, Target HW and Other are "*" (any); no Version Start/End Including or Excluding bounds are given.
  • OR - Configuration 2
    CPE Version 2.3; Part: Application; Vendor: Haxx; Product: Libcurl.
    Update, Edition, Language, SW Edition, Target SW, Target HW and Other are "*" (any) for every entry except where noted; no Version Start/End Including or Excluding bounds are given.
    Versions: 6.0, 6.1, 6.1 (Update: beta), 6.2, 6.3, 6.3.1, 6.4, 6.5, 6.5.1, 6.5.2,
    7.1, 7.1.1, 7.2, 7.2.1, 7.3, 7.4, 7.4.1, 7.4.2, 7.5, 7.5.1, 7.5.2, 7.6, 7.6.1,
    7.7, 7.7.1, 7.7.2, 7.7.3, 7.8, 7.8.1, 7.9, 7.9.1, 7.9.2, 7.9.3, 7.9.4, 7.9.5, 7.9.6, 7.9.7, 7.9.8,
    7.10, 7.10.1, 7.10.2, 7.10.3, 7.10.4, 7.10.5, 7.10.6, 7.10.7, 7.10.8,
    7.11.0, 7.11.1, 7.11.2, 7.12.0, 7.12.1, 7.12.2, 7.12.3, 7.13.0, 7.13.1, 7.13.2,
    7.14.0, 7.14.1, 7.15.0, 7.15.1, 7.15.2, 7.15.3, 7.15.4, 7.15.5,
    7.16.0, 7.16.1, 7.16.2, 7.16.3, 7.16.4, 7.17.0, 7.17.1, 7.18.0, 7.18.1, 7.18.2,
    7.19.0, 7.19.1, 7.19.2, 7.19.3, 7.19.4, 7.19.5, 7.19.6, 7.19.7, 7.20.0, 7.20.1,
    7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, 7.21.7, 7.22.0, 7.23.0, 7.23.1,
    7.24.0, 7.25.0, 7.26.0, 7.27.0, 7.28.0, 7.28.1, 7.29.0, 7.30.0, 7.31.0, 7.32.0,
    7.33.0, 7.34.0, 7.35.0, 7.36.0, 7.37.0, 7.37.1, 7.38.0, 7.39
  • OR - Configuration 3
    CPE Version 2.3; Part: OS; Vendor: Canonical; Product: Ubuntu Linux.
    Update, Edition, Language, Target SW, Target HW and Other are "*" (any); no Version Start/End Including or Excluding bounds are given.
    Version | SW Edition
    10.04   | lts
    12.04   | lts
    14.04   | lts
    14.10   | *

Vulnerable Software List

Vendor | Product | Versions
Debian Debian Linux 7.0
Canonical Ubuntu Linux 10.04, 12.04, 14.04, 14.10
Haxx Libcurl 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.4, 6.5, 6.5.1, 6.5.2, 7.1, 7.1.1, 7.10, 7.10.1, 7.10.2, 7.10.3, 7.10.4, 7.10.5, 7.10.6, 7.10.7, 7.10.8, 7.11.0, 7.11.1, 7.11.2, 7.12.0, 7.12.1, 7.12.2, 7.12.3, 7.13.0, 7.13.1, 7.13.2, 7.14.0, 7.14.1, 7.15.0, 7.15.1, 7.15.2, 7.15.3, 7.15.4, 7.15.5, 7.16.0, 7.16.1, 7.16.2, 7.16.3, 7.16.4, 7.17.0, 7.17.1, 7.18.0, 7.18.1, 7.18.2, 7.19.0, 7.19.1, 7.19.2, 7.19.3, 7.19.4, 7.19.5, 7.19.6, 7.19.7, 7.2, 7.2.1, 7.20.0, 7.20.1, 7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, 7.21.7, 7.22.0, 7.23.0, 7.23.1, 7.24.0, 7.25.0, 7.26.0, 7.27.0, 7.28.0, 7.28.1, 7.29.0, 7.3, 7.30.0, 7.31.0, 7.32.0, 7.33.0, 7.34.0, 7.35.0, 7.36.0, 7.37.0, 7.37.1, 7.38.0, 7.39, 7.4, 7.4.1, 7.4.2, 7.5, 7.5.1, 7.5.2, 7.6, 7.6.1, 7.7, 7.7.1, 7.7.2, 7.7.3, 7.8, 7.8.1, 7.9, 7.9.1, 7.9.2, 7.9.3, 7.9.4, 7.9.5, 7.9.6, 7.9.7, 7.9.8

References

Each entry lists the reference name, its source (and any tags) in parentheses, and the URL where it differs from the name.

http://advisories.mageia.org/MGASA-2015-0020.html (CONFIRM)
http://curl.haxx.se/docs/adv_20150108B.html (CONFIRM; Vendor Advisory)
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743 (CONFIRM)
APPLE-SA-2015-08-13-2 (APPLE)
  http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
FEDORA-2015-0418 (FEDORA)
  http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147856.html
FEDORA-2015-0415 (FEDORA)
  http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147876.html
FEDORA-2015-6864 (FEDORA)
  http://lists.fedoraproject.org/pipermail/package-announce/2015-May/156945.html
FEDORA-2015-6853 (FEDORA)
  http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157188.html
openSUSE-SU-2015:0248 (SUSE)
  http://lists.opensuse.org/opensuse-updates/2015-02/msg00040.html
RHSA-2015:1254 (REDHAT)
  http://rhn.redhat.com/errata/RHSA-2015-1254.html
61925 (SECUNIA)
  http://secunia.com/advisories/61925
62075 (SECUNIA)
  http://secunia.com/advisories/62075
62361 (SECUNIA)
  http://secunia.com/advisories/62361
DSA-3122 (DEBIAN)
  http://www.debian.org/security/2015/dsa-3122
MDVSA-2015:021 (MANDRIVA)
  http://www.mandriva.com/security/advisories?name=MDVSA-2015:021
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html (CONFIRM)
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html (CONFIRM)
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html (CONFIRM)
71964 (BID)
  http://www.securityfocus.com/bid/71964
1032768 (SECTRACK)
  http://www.securitytracker.com/id/1032768
USN-2474-1 (UBUNTU)
  http://www.ubuntu.com/usn/USN-2474-1
https://kc.mcafee.com/corporate/index?page=content&id=SB10131 (CONFIRM)
GLSA-201701-47 (GENTOO)
  https://security.gentoo.org/glsa/201701-47
https://support.apple.com/kb/HT205031 (CONFIRM)